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DETAILED ACTION 
Claim Rejections - 35 USC § 103 

1 . The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 

all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-8, 10-15, 17-19,21-25,27-28 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Mashayekhi (US 5,818,936), and further in view of Ohashi 
et al (US 5,761,309). 

a. Referring to claim 1: 

i. Mashayekhi teaches: 

(1) a group certificate issuing apparatus for issuing a 
group certificate on the client side based on original group information including the 
name of the group to which the related user belongs when there is said remote 
processing request [i.e. referring to Figure 2, element 220 function is to generate a 
certificate with username/groupname and crypto key binding together (column 5, 
lines 34-55)]; and 

(2) a group certificate verification unit for verifying a 
legitimacy of said group certificate transmitted from the client side in said server, 
wherein said group certificate issuing apparatus adds an issuance side processed value 
obtained by processing the information of the original group information by a 
cryptographic function to the original group information and defines this as the group 
certificate [i.e., referring to Figure 2 again, when the authentication inquiry is 
received at the controller, the workstation API 214 verifies that the user is a valid 
network client (i.e., has successively logged-on and has been authenticated to 
the NDS) by requesting the proper application secret for program 236. In 
response to this latter request^ the database API 206 accesses the authentication 
database 204 and provides an encrypted application secret along with the private 
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key for decrypting the secret. The workstation API then decrypts and forwards 
the proper application secret (and user identity) to the particular application 
program, (column 6, lines 60-67 through column 7, lines 1-27)]; and 

(3) said group certificate verification unit processes part 
of the information included in the received group certificate by an identical cryptographic 
function to obtain a verification side processed value and performs said authentication 
by confirming that said issuance side processed value and said verification side 
processed value coincide [i.e., Figures 4A and 4B are a flow chart of the function 
performed by workstation API 214 in response to the authentication request 
generated by a particular program. As noted, when a user 201 attempts to access 
a particular application program, such as a local application 240 or network- 
based application program 236, the particular application program requires that 
the user be authenticated prior to accessing its processes or data. The function 
begins at block 400 and proceeds to block 402 where workstation API 214 
receives this authentication inquiry from the application program. Upon receipt, 
the workstation API 214 determines whether the user is a valid network client at 
block 404. If the user is not a valid network client, workstation API 214 denies the 
user access to the distributed authentication service at block 406. However, if the 
user is a valid network client, then the workstation API 214 requests the proper 
application secret for the particular application program at block 410. For 
example, the workstation API 214 calls a "Retrieve Application Secret" API for 
retrieving the user's identity and proper application secrets. Workstation API 214 
provides the application identifier of the particular application as part of the API 
call. The request to the database API 206 is preferably encoded in a network 
protocol element in a matter that is well-known in the art. The database API 206, 
in a matter described below with reference to FIG. 5, returns encrypted data and a 
keychain private key to the workstation API 214. At block 414, the workstation 
API 214 receives the encrypted data and keychain private key (column 7, lines 10- 
38)]. 
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ii. Although Mashayekhi does address the authentication 
processes, Mashayekhi does not explicitly mention: 

(1) performs said authentication by confirming that said 
issuance side processed value and said verification side processed value coincide. 

iii. Ohashi teaches: 

(1) If the encrypted Res' coincides with Res, a user 
certificate Cert and an authentication information Aulnfo are issued for the smart card 
10. Contents of the issued user certificate Cert and authentication information Aulnfo 
are indicated in Figure 11 as an example (column 13, lines 6-10). 

iv. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) have applied the coincidence of issuance and 
verification of a certification used in Ghashi^s authentication processes into 
Mashayekhi's distributed network system in order to confirm that a user who requests 
network services or communications (hereinafter called as a network user) is a 
legitimate user, it is necessary at the network side to authenticate this user (column 1, 
lines 10-13 of Ohashi). 

V. The ordinary skilled person would have been motivated to: 

(1) have applied the coincidence of issuance and 
verification of a certification used in Ohashi's authentication processes into 
Mashayekhi's distributed network system for identifying a user by network when the 
user intends to get network services (column 1, lines 4-6 of Ohashi). 
b. Referring to claim 2: 

i . Mashayekhi further teaches: 

(1) wherein said group certificate issuing apparatus 
includes secret information assigned to said groups in said original group information 
and performs the processing by said cryptographic function, said group certificate 
verification unit includes said secret information assigned to the groups in part of 
information included in said received group certificate and performs the processing by 
said cryptographic function, and said group certificate issuing apparatus and said server 
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share identical secret information for identical groups [i.e., the group of encrypted 
application secrets associated with the user Is referred to as a "keychain." Each 
keychain Is assigned a public/private key pair, with all secrets in the keychain 
being encrypted with the public key. The user may be associated with one or 
more keychains, each of which may be further associated with different secrets. 
Since these secrets correspond to application programs, the association of 
programs to keychains may be based upon various characteristics, such as the 
user's rights with respect to the programs. Furthermore, each application 
program may be accessible by the same or different users so that, e.g., those 
users having the same access rights for a program may utilize the same keychain 
containing each user's secrets for the programs (column 3, lines 40-53)]. 

c. Referring to claim 3: 

i . Mashayekhi further teaches: 

(1) wherein said cryptographic function is a hash function 
[i.e., a user logs into the workstation with the user's password and the 
workstation derives a secret, non-complimentary, encryption key by applying a 
known hash algorithm to the password (column 2, lines 5-8)]. 

d. Referring to claims 4-6: 

1. These claims have limitations that is similar to those of claim 
1, thus they are rejected with the same rationale applied against claim 1 above. 

e. Referring to claims 7-8, 18-19: 

i. These claims have limitations that is similar to those of claim 
3, thus they are rejected with the same rationale applied against claim 3 above. 

f. Referring to claim 10: 

\ . Mashayekhi further teaches; 

(1) wherein it cooperates with a unique ID generation 
means provided in said client, and the unique ID generation means generates an 
authentication ID for mutual authentication between said client and said server, contains 
the authentication ID in said group certificate, and transmits the same to said server 
[i.e., the flexible association of users, keychains and application secrets enables 
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each user to have its own unique user Identity and application secret for every 
application on the network. Thus, knowledge of one application secret does not 
compromise the security of all remaining application secrets associated with the 
user (column 4, lines 20-25). In addition, for every valid network user, the 
attributes of user object 302 include a login public/private key pair and a secret 
(e.g., the hash of the password). The user object 302 is accessed by the NDS to 
initially authenticate the user when the user logs on to the network. An 
application object 306 includes, for an associated application program, a program 
name, a list of users that have authority to access the program, and an 
application program identifier (ID). The program name attribute is a unique 
descriptive term that identifies the application program. The ID is a unique 
character string typically supplied by the application manufacturer that identifies 
the application program. However, the present invention reserves a pre-assigned 
range of IDs for programs that have no IDs assigned to them by their 
manufacturer. In the preferred embodiment of the present invention, the ID is an 
ASN.1 (abstract syntax notation; a CCITT/ISO standard) compliant identifier 
defined as a "Free Form Identifier" (column 6, lines 21-39)]. 

g. Referring to claims 11,21: 

i. These claims have limitations that is similar to those of 
claims 1 and 10, thus they are rejected with the same rationale applied against claims 1 
and 10 above. 

h. Referring to claim 12: 

i. Mashayekhi further teaches: 

(1) wherein it cooperates with an encryption processing 
unit provided in said client, and the encryption processing unit establishes an encryption 
session from the client to said server with said temporary password as an encryption 
key [i.e., a user logs into the workstation with the user's password and the 
workstation derives a secret, non-complimentary, encryption key by applying a 
known hash algorithm to the password (column 2, lines 5-8)]. 

i. Referring to claim 13: 
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i. Mashayekhi further teaches: 

(1) wherein provision is made of a log file for recording 
the log of the session according to each said remote processing request for each of said 
users, and supervision of each user is performed based on the log [i.e., referring to 
Figure 1, in general, each of tlie computer nodes Includes memory means 108 for 
storing software programs and data structures associated with the cryptographic 
methods and techniques (column 5, lines 1-5)]. 

j. Referring to claims 14. 23-24: 

i. These claims have limitations that is similar to those of claim 
13, thus they are rejected with the same rationale applied against claim 13 above, 
k. Referring to claim 15: 

i. This claim has limitations that is similar to those of claim 10, 
thus it is rejected with the same rationale applied against claim 10 above. 
I. Referring to claim 17: 

i. Mashayekhi further teaches: 

(1) wherein provision is made of a user-group mapping 
storage means, and in the user-group mapping storage means, a plurality of different 
groups can be assigned for one said user [i.e., the novel distributed service 201 
comprises an exchange controller 207 coupled to an authentication database 204 
containing a group of encrypted application secrets associated with the user 
(column 5, lines 60-64). Furthermore, the authentication database 204 is 
preferably a novel secure database containing groups of application secrets for 
predetermined application programs. Each group of application secrets, referred 
to as a "keychain", is assigned a public/private key pair by the KG 218 when the 
keychain is created. The database 204 also contains user objects which 
associate a given user with one or more keychains. The database API 206 
manages the authentication database 204 in response to queries generated by 
workstation API 214. (column 6, lines 3-11)]. 
m. Referring to claim 22: 
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i. This claim has limitations that is similar to those of claim 12, 
thus it is rejected with the same rationale applied against claim 12 above. 
0. Referring to claim 25: 

i. This claim has limitations that is similar to those of claim 10, 
thus it is rejected with the same rationale applied against claim 10 above, 
p. Referring to claim 27: 

i. Mashayekhi further teaches: 

(1) wherein it cooperates with a group certificate 
temporary storing unit provided in said server, and, when the assignment of a plurality 
of different groups is enabled for one said user, it verifies said group certificates 
received from said client, stores them in the group certificate temporary storing unit, and 
switches and uses the stored group certificates in accordance with said predetermined 
authorization necessary for the request with respect to the following remote processing 
requests [i.e., Figure 2 discloses a certificate storage server (CSS) node for 
storing certificate (column 4, lines 47"48). Furthermore, the workstation and 
server nodes may be configured as a distributed authentication service 201 that 
automates an authentication exchange between a user interface 112 200. The 
novel distributed service 201 comprises an exchange controller 207 coupled to an 
authentication database 204 containing a group of encrypted application secrets 
associated with the user. The controller 207, in turn, comprises an application 
program interface (API) that is distributed among user workstations (i.e., 
workstation API 214) and the authentication database (i.e., the database API 206). 
Illustratively, both the database API and authentication database reside in a 
network directory services (NDS) system (column 5, lines 57-67 through column 
6, lines 1-2)]. 

q. Referring to claim 28: 

i. This claim has limitations that is similar to those of claim 27, 
thus it is rejected with the same rationale applied against claim 27 above. 
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3. Claims 9, 16, 20, 26 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mashayekhi (US 5,818,936), further in view of Ohashi et a! (US 
5,761,309), and further in view of Perlman (US 5,892,828). 
a. Referring to claim 9: 

i. Mashayekhi briefly teaches the hash algorithm, however the 
detail of the hash algorithm has not been shown precisely. On the other hand, Perlman 
teaches: 

(1) Perlman's invention generally relates to a technique 
for verifying the presence of a user to applications stored on a distributed network 
system using a single password. Briefly, the technique generally comprises computing 
a one-way hash value of the password that is initially provided by the user to a 
workstation during a login procedure (column 3, lines 34-39). Referring to Figure 4 for 
the sequence of steps for dynamically verifying the presence of a user when 
authenticating the user to various services and applications in a distributed network 
system. 

ii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) clearly show the sequence of steps in hash algorithm 
for authentication processes as in Perlman for verifying the identity of a user of a 
distributed network system prior to allowing the user access to system resources and 
applications is referred to as authentication (column 1, lines 20-22 of Perlman). 

iii. The ordinary skilled person would have been motivated to: 
(1) cleariy show the sequence of steps in hash algorithm for 

authentication processes as in Periman since cryptography is often used to preserve 
the confidentiality of the transmitted password when authenticating the user to remote 
applications. Furthermore, a well-known cryptographic technique used to perform 
remote authentication is public key cryptography, wherein a public key system may be 
used in such a way as to ensure that information being transmitted cannot be 
understood by an eavesdropper, as well as to ensure the authenticity of the sender of 
the information (column 1, lines 40-54 of Perlman). 
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Conclusion 

3. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

a. Euchner et al (US 6, 052, 787) discloses a group-based 
cryptographic code management method is proposed, in which a security policy which 
is used in a further communication is negotiated between group computer units and a 
first computer unit (see abstract). 

b. Nessett et al (US 6, 055, 236) discloses methods and system for 
locating network services with distributed network address translation. Digital 
certificates are created that allow an external network device on an external network, 
such as the Internet, to request a service from an internal network device on an internal 
distributed network address translation network, such as a stub local area network (see 
abstract). 

c. Parker (US 5, 339, 403) discloses a distributed computer system, 
has a number of users and target applications. When a user logs on to the system, an . 
authentication unit issues the user with a privilege attribute certificate (PAC) 
representing the user's access rights (see abstract). 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Thanhnga (Tanya) Truong 
whose'^elephone-niimberis 57T-272-3858. ' 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Kim Vu can be reached at 571-272-3859. The fax and 
phone numbers for the organization where this application or proceeding is assigned is 
703-872-9306. 



Any inquiry of a general nature or relating to the status of this 
application or proceeding should be directed to the receptionist whose telephone 
number is 571-272-2100. 
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